U.S. patent application number 13/423977, for a USB firewall apparatus and method, was filed on March 19, 2012 and published by the patent office on September 20, 2012 as publication number 20120240234.
This patent application is currently assigned to Cybernet Systems Corporation. The invention is credited to Charles J. Jacobus and Chris C. Lomont.
Application Number: 13/423977
Publication Number: 20120240234
Family ID: 46829566
Filed: 2012-03-19
Published: 2012-09-20
United States Patent Application 20120240234
Kind Code: A1
Lomont; Chris C.; et al.
September 20, 2012
USB FIREWALL APPARATUS AND METHOD
Abstract
Apparatus and methods prevent malicious data in Universal Serial
Bus (USB) configurations by providing a hardware firewall. A
hardware device interconnected between a host and the USB monitors
communication packets and blocks packets having unwanted or
malicious intent. The device may act as a hub, enabling multiple
devices to connect to a single host. The device may only allow mass
storage packets from a device recognized as a mass storage device.
The device may block enumeration of unwanted devices by not
forwarding packets between the device and the host. The device may
be operative to assign a bogus address to a malicious device so as
not to transfer communications from the device further up the chain
to the host. The device may provide shallow or deep packet
inspection to determine when a trusted device is sending possible
malicious data, or provide packet validation to block packets that
are malformed.
Inventors: Lomont; Chris C.; (Ann Arbor, MI); Jacobus; Charles J.; (Ann Arbor, MI)
Assignee: Cybernet Systems Corporation, Ann Arbor, MI
Family ID: 46829566
Appl. No.: 13/423977
Filed: March 19, 2012
Related U.S. Patent Documents
Application Number | Filing Date | Patent Number
61453777 | Mar 17, 2011 |
Current U.S. Class: 726/24
Current CPC Class: G06F 21/85 20130101
Class at Publication: 726/24
International Class: G06F 21/00 20060101 G06F021/00
Claims
1. A computer security device, comprising: a hardware unit
interconnected between a Universal Serial Bus (USB) device and a
host, the unit including a bus controller interfaced to a memory;
and wherein the controller is operative to: (a) monitor
communication packets associated with data exchanges between the
bus and the host, (b) log the data exchanges in the memory, and (c)
block communication packets having unwanted or malicious intent from
reaching the host.
2. The computer security device of claim 1, wherein the unit only
allows mass storage packets from a device recognized as a mass
storage device.
3. The computer security device of claim 1, wherein the unit blocks
enumeration of unwanted devices by not forwarding packets between
the device and the host.
4. The computer security device of claim 1, wherein the unit is
operative to assign a bogus address to a malicious device so as not
to transfer communications from the device further up the chain to
the host.
5. The computer security device of claim 1, wherein the unit
provides shallow or deep packet inspection to determine when a
trusted device is sending possible malicious data.
6. The computer security device of claim 1, wherein the unit
further provides packet validation to block packets that are
malformed.
7. The computer security device of claim 1, wherein the unit is
interfaced to the host through an optically isolated bus.
8. The device of claim 1, wherein the unit acts as a hub enabling
multiple devices to connect to a single host.
9. The device of claim 1, wherein: the unit interfaces to the host
through a first USB connector; and the unit interfaces to the USB
through a second USB connector.
10. A method of protecting a computer from network attacks, comprising
the steps of: monitoring and logging communication packets
associated with data exchanges between a host and a Universal
Serial Bus (USB) to which the host is connected; determining if the
communication packets are unwanted or have malicious intent; and,
if so: blocking those packets from reaching the host.
11. The method of claim 10, including the step of allowing mass
storage packets from a device recognized as a mass storage
device.
12. The method of claim 10, including the step of blocking enumeration
of unwanted devices by not forwarding packets between the device and
the host.
13. The method of claim 10, including the step of assigning a bogus
address to a malicious device so as not to transfer communications
from the device further up the chain to the host.
14. The method of claim 10, including the step of providing shallow
or deep packet inspection to determine when a trusted device is
sending possible malicious data.
15. The method of claim 10, including the step of providing packet
validation to block packets that are malformed.
Description
REFERENCE TO RELATED APPLICATION
[0001] This application claims priority from U.S. Provisional
Patent Application Ser. No. 61/453,777, filed Mar. 17, 2011, the
entire content of which is incorporated herein by reference.
FIELD OF THE INVENTION
[0002] This invention relates generally to computer security and,
in particular, to apparatus and methods that prevent malicious data
in Universal Serial Bus (USB) configurations by providing a
hardware firewall.
BACKGROUND OF THE INVENTION
[0003] The Universal Serial Bus (USB) is a common interconnect
format for computer devices. Data is transmitted over a serial
connection between a host and a device. Each device is assigned an
address from 0 to 127, allowing multiple devices to communicate with
the same host over the same wires.
[0004] The USB specification defines multiple device classes,
including but not limited to keyboards, mice, printers, mass
storage, video, and vendor-specific items. Some physical devices
appear as two or more logical USB devices, such as a webcam that
exposes both an audio and a video function. USB data is sent in
packets: token packets that address a device and endpoint, data
packets, and handshake packets such as the acknowledgement that data
was received or that the device is ready. Hubs also report the
attachment and removal of devices to the host in packets.
[0005] Malicious USB devices have been created that utilize
weaknesses in the USB infrastructure to attack unprotected hosts
and devices through combinations of malformed packets, device
spoofing, electrical tricks, and other methods. For example, a
flash drive may have a keyboard controller hidden in it that only
activates after the drive has been inserted for some length of
time. The keyboard activates, unsuspecting USB infrastructure
connects it to the PC, and the keyboard sends commands for
malicious activity on the host PC. There are many other types of
attacks.
SUMMARY OF THE INVENTION
[0006] This invention is directed to apparatus and methods that
prevent malicious data in Universal Serial Bus (USB) configurations
by providing a hardware firewall. A computer security device
according to the invention comprises a hardware unit interconnected
between a Universal Serial Bus (USB) device and a host. The device,
which may include a memory to log data exchanges, monitors
communication packets associated with data exchanges between the
bus and the host and blocks packets having unwanted or malicious
intent.
[0007] In some embodiments, the device may only allow mass storage
packets from a device recognized as a mass storage device. The
device may block enumeration of unwanted devices by not forwarding
packets between the device and the host. The device may be
operative to assign a bogus address to a malicious device so as not
to transfer communications from the device further up the chain to
the host. The device may provide shallow or deep packet inspection
to determine when a trusted device is sending possible malicious
data, or provide packet validation to block packets that are
malformed.
[0008] In the preferred embodiment, the device acts as a hub,
enabling multiple devices to connect to a single host. The device
may interface to the host through a first USB connector, and
interface to the USB through a second USB connector. For added
security, the device may be interfaced to the host through an
optically isolated bus. Methods of use are also disclosed and
claimed herein.
BRIEF DESCRIPTION OF THE DRAWINGS
[0009] FIG. 1 is a block diagram of a USB firewall device
constructed in accordance with the present invention; and
[0010] FIG. 2 illustrates transfer between the device and a host,
which are broken into transactions, and which are further broken
into packets.
DETAILED DESCRIPTION OF THE INVENTION
[0011] This invention prevents malicious data in USB configurations
by providing a hardware firewall. All USB data is sent between a
device and a host. The firewall sits physically between them,
either acting as a hub (which connects multiple devices to a single
host) or acting passively by sitting on the wire and listening to
traffic. In the latter case it does not alter traffic but still
monitors and logs it.
[0012] The firewall, depicted schematically in FIG. 1, includes a
hardware monitor that sits between two communicating USB endpoints
and monitors USB data. It stops communication packets that it deems
unwanted by the user or malicious in intent. For example, a user
could configure the hardware to allow only mass storage packets
from a device that should only be mass storage.
[0013] The firewall can stop malicious device types by monitoring
the USB pipes (connections between device and host) and watching
for the enumeration of new connections. When a new device is
attached, the host enumerates it by first noticing the change on
the bus and then performing control transfers that obtain the
device's descriptors. The device answers these requests on its
default control endpoint (endpoint 0), which the firewall can
monitor.
[0014] The firewall can block the enumeration of devices that are
not allowed to pass by not forwarding packets between the device and
the host. It assigns an address to the malicious device and lets the
device believe it is attached to a valid host, but does not transfer
the communication further up the chain to the host.
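The enumeration gate of [0012] to [0014], as an added example that is not part of the patent: the firewall captures the configuration descriptor the device returns during enumeration and admits the device only if every interface carries the permitted class. Descriptor layouts follow chapter 9 of the USB 2.0 specification; the "mass storage only" policy, the function names, and the four sample descriptors (including the composite flash drive with a hidden boot-keyboard interface described in [0005]) are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define USB_DT_CONFIG          0x02
#define USB_DT_INTERFACE       0x04
#define USB_CLASS_HID          0x03
#define USB_CLASS_MASS_STORAGE 0x08

/* Walk a configuration descriptor (as returned by GET_DESCRIPTOR during
 * enumeration) and return 1 only if every interface belongs to allowed_class.
 * Returns 0 for any other class and for any structurally malformed descriptor:
 * the firewall fails closed instead of forwarding what it could not parse. */
int config_allowed(const uint8_t *buf, size_t len, uint8_t allowed_class)
{
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIG)
        return 0;
    size_t total = buf[2] | ((size_t)buf[3] << 8);   /* wTotalLength, little-endian */
    if (total < 9 || total > len)
        return 0;                                     /* claims more bytes than were received */
    uint8_t num_if = buf[4];                          /* bNumInterfaces */
    uint8_t seen_if = 0;
    size_t off = 9;
    while (off < total) {
        uint8_t blen = buf[off];
        if (blen < 2 || off + blen > total)
            return 0;                                 /* sub-descriptor overruns its container */
        if (buf[off + 1] == USB_DT_INTERFACE) {
            if (blen < 9)
                return 0;
            if (buf[off + 5] != allowed_class)        /* bInterfaceClass */
                return 0;
            if (buf[off + 3] == 0)                    /* bAlternateSetting 0 marks a distinct interface */
                seen_if++;
        }
        off += blen;
    }
    return seen_if == num_if;
}

/* Constructed sample: a plain bulk-only mass storage device. */
static const uint8_t msc_only[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,   /* config: 32 bytes, 1 interface */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,   /* interface 0: MSC, SCSI, bulk-only */
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,               /* bulk IN endpoint */
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,               /* bulk OUT endpoint */
};

/* Constructed sample: the flash drive with a hidden keyboard of [0005], as a
 * composite device whose second interface is a HID boot keyboard. */
static const uint8_t msc_plus_hid[] = {
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,   /* config: 57 bytes, 2 interfaces */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
    0x09, 0x04, 0x01, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,   /* interface 1: HID, boot, keyboard */
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,   /* HID class descriptor */
    0x07, 0x05, 0x82, 0x03, 0x08, 0x00, 0x0A,               /* interrupt IN endpoint */
};

/* Constructed sample: wTotalLength says 64 bytes but only 32 were received. */
static const uint8_t truncated[] = {
    0x09, 0x02, 0x40, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
};

/* Constructed sample: an inner descriptor with bLength 0, which would spin a naive walker forever. */
static const uint8_t zero_length[] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x00, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,
    0x07, 0x05, 0x81, 0x02, 0x40, 0x00, 0x00,
    0x07, 0x05, 0x02, 0x02, 0x40, 0x00, 0x00,
};

int main(void)
{
    const char *v[] = { "block", "enumerate" };
    printf("mass storage only : %s\n", v[config_allowed(msc_only, sizeof msc_only, USB_CLASS_MASS_STORAGE)]);
    printf("storage + keyboard: %s\n", v[config_allowed(msc_plus_hid, sizeof msc_plus_hid, USB_CLASS_MASS_STORAGE)]);
    printf("truncated         : %s\n", v[config_allowed(truncated, sizeof truncated, USB_CLASS_MASS_STORAGE)]);
    printf("zero-length entry : %s\n", v[config_allowed(zero_length, sizeof zero_length, USB_CLASS_MASS_STORAGE)]);
    return 0;
}
```

The check fails closed: a descriptor the walker cannot fully traverse is treated like a disallowed class, since a descriptor that lies about its own length is exactly the kind of malformed input [0017] warns about. Whether the firewall then withholds the address assignment or answers the device itself, as [0014] describes, is the next step and is not shown here.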
[0015] Interactions between device and host are carried out through
transfers, which are broken into transactions, which are further
broken into packets (FIG. 2). Each transaction begins with a token
packet that identifies the device address and endpoint the
transaction refers to; the data and handshake packets that follow
belong to that transaction. Using this addressing, the firewall can
assign addresses to devices it wants to block and other addresses to
devices that are cleared to pass through, and sort communication by
device address. This allows communication to be filtered per device
on the untrusted side of the firewall.
[0016] For packets that are allowed through, the device provides
shallow or deep packet inspection to determine when a trusted
device is sending possible malicious data. One example would be to
detect file transfers from mass storage devices and examine the
files as they pass through. Another example detects images coming
from a camera and scans the image headers for valid parameters.
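The image-header inspection mentioned in [0016], as an added example that is not part of the patent. It assumes the firewall has already reassembled the first bytes of a file from the bulk transfers of a mass storage or camera device (that reassembly is not shown) and then checks a PNG signature and IHDR chunk for structure, integrity, and parameter ranges. The MAX_DIM ceiling, the function names, and the four scenarios are assumptions made for the example; the chunk layout and the legal colour-type and bit-depth pairs come from the PNG specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_DIM 16384u   /* policy ceiling assumed for this example */

/* CRC-32 as used by PNG chunks (reflected 0xEDB88320, init and final 0xFFFFFFFF). */
static uint32_t crc32_png(const uint8_t *d, size_t n)
{
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= d[i];
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : c >> 1;
    }
    return c ^ 0xFFFFFFFFu;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

static const uint8_t png_sig[8] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

/* Inspect the first 33 bytes of a PNG stream: signature, IHDR chunk, chunk CRC,
 * then parameter ranges. Returns 1 to pass, 0 to block. A correct CRC proves
 * only that the sender computed one, so the range checks run after it. */
int png_header_ok(const uint8_t *buf, size_t len)
{
    if (len < 33 || memcmp(buf, png_sig, 8) != 0) return 0;
    if (get_be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return 0;
    if (crc32_png(buf + 12, 17) != get_be32(buf + 29)) return 0;   /* CRC covers type + data */
    uint32_t w = get_be32(buf + 16), h = get_be32(buf + 20);
    uint8_t depth = buf[24], ctype = buf[25];
    if (w == 0 || h == 0 || w > MAX_DIM || h > MAX_DIM) return 0;  /* keeps w*h*bpp sane for any decoder */
    switch (ctype) {                                   /* legal (colour type, bit depth) pairs */
    case 0: if (depth != 1 && depth != 2 && depth != 4 && depth != 8 && depth != 16) return 0; break;
    case 3: if (depth != 1 && depth != 2 && depth != 4 && depth != 8) return 0; break;
    case 2: case 4: case 6: if (depth != 8 && depth != 16) return 0; break;
    default: return 0;
    }
    return buf[26] == 0 && buf[27] == 0 && buf[28] <= 1;  /* compression, filter, interlace */
}

/* Build signature + IHDR with a valid CRC: constructed test input, and a
 * reminder that an attacker can compute a correct CRC over bad parameters. */
size_t build_png_header(uint8_t out[33], uint32_t w, uint32_t h, uint8_t depth, uint8_t ctype)
{
    memcpy(out, png_sig, 8);
    put_be32(out + 8, 13);
    memcpy(out + 12, "IHDR", 4);
    put_be32(out + 16, w);
    put_be32(out + 20, h);
    out[24] = depth; out[25] = ctype; out[26] = 0; out[27] = 0; out[28] = 0;
    put_be32(out + 29, crc32_png(out + 12, 17));
    return 33;
}

/* Scenarios: 0 ordinary camera frame; 1 absurd width with a correct CRC;
 * 2 invalid colour type; 3 width tampered after the CRC was computed. */
int demo_png(int scenario)
{
    uint8_t hdr[33];
    switch (scenario) {
    case 0:  build_png_header(hdr, 1920, 1080, 8, 2); break;
    case 1:  build_png_header(hdr, 0x80000000u, 1, 8, 2); break;
    case 2:  build_png_header(hdr, 640, 480, 8, 5); break;
    default: build_png_header(hdr, 640, 480, 8, 2); hdr[16] = 0x7F; break;  /* CRC now stale */
    }
    return png_header_ok(hdr, sizeof hdr);
}

int main(void)
{
    for (int s = 0; s < 4; s++)
        printf("scenario %d: %s\n", s, demo_png(s) ? "pass" : "block");
    return 0;
}
```

Scenario 1 is the one that matters: its chunk CRC is correct, so an integrity check alone would pass an IHDR whose width would make a decoder allocate or overflow, and only the range check on the parameters catches it. The same order (structure, then integrity, then ranges) applies to other header formats.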
[0017] This device can also provide a level of validation on the
packets to ensure they are not malformed. Malformed packets can be
designed to exploit weaknesses or errors in USB implementations,
such as buffer overflows. For example, checking that fields in
packets are correctly formed gives a second layer of protection
against poorly implemented hardware that may be susceptible to
invalid fields or invalid combinations of fields.
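The address-based sorting of [0015] together with the packet validation of [0017], as an added example that is not part of the patent. The PID encoding, the token and data packet layouts, and both CRCs follow chapter 8 of the USB 2.0 specification; the firewall structure, the per-address allow table, the verdict names, and the packet sequence are constructed for the example (the CRC bytes in the constructed packets agree with the familiar SETUP and IN tokens to addresses 0 and 1 and the GET_DESCRIPTOR setup stage seen in bus captures).

```c
#include <stdint.h>
#include <stddef.h>

/* Packet identifiers with their check nibble (USB 2.0 table 8-1). */
enum { PID_OUT = 0xE1, PID_IN = 0x69, PID_SOF = 0xA5, PID_SETUP = 0x2D,
       PID_DATA0 = 0xC3, PID_DATA1 = 0x4B, PID_ACK = 0xD2, PID_NAK = 0x5A, PID_STALL = 0x1E };
enum verdict { DROP_MALFORMED = -1, DROP_BLOCKED = 0, FORWARD = 1 };

/* CRC5 over the 11 token bits (ADDR bits 0-6, ENDP bits 7-10): x^5+x^2+1 in
 * reflected form, all-ones init, inverted result; the value returned is the
 * 5-bit field as it sits in the top bits of the last token byte. */
static uint8_t usb_crc5(uint16_t bits11)
{
    uint8_t crc = 0x1F;
    for (int i = 0; i < 11; i++)
        crc = ((crc ^ (bits11 >> i)) & 1) ? (crc >> 1) ^ 0x14 : crc >> 1;
    return (crc ^ 0x1F) & 0x1F;
}

/* CRC16 over a data field: x^16+x^15+x^2+1 (0xA001 reflected), init 0xFFFF,
 * inverted result; it follows the data little-endian. */
static uint16_t usb_crc16(const uint8_t *d, size_t n)
{
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= d[i];
        for (int k = 0; k < 8; k++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xA001 : crc >> 1;
    }
    return crc ^ 0xFFFF;
}

struct usb_fw {
    uint8_t allow[128];   /* 1: device at this address is cleared to pass */
    int cur_addr;         /* address of the transaction in progress, -1 if none */
};

/* One packet in, one verdict out. Structural checks (PID nibble, length, CRC)
 * run first. Only tokens carry an address; the DATA and handshake packets that
 * follow inherit the verdict of the token that opened the transaction. */
int usb_fw_filter(struct usb_fw *fw, const uint8_t *pkt, size_t len)
{
    if (len < 1 || (pkt[0] & 0x0F) != ((pkt[0] >> 4) ^ 0x0F))
        return DROP_MALFORMED;                      /* PID check nibble wrong */
    switch (pkt[0]) {
    case PID_OUT: case PID_IN: case PID_SETUP: case PID_SOF: {
        if (len != 3)
            return DROP_MALFORMED;
        uint16_t bits = pkt[1] | ((uint16_t)(pkt[2] & 0x07) << 8);
        if (usb_crc5(bits) != (pkt[2] >> 3))
            return DROP_MALFORMED;
        if (pkt[0] == PID_SOF)
            return FORWARD;                         /* frame marker, carries no device address */
        fw->cur_addr = bits & 0x7F;
        return fw->allow[fw->cur_addr] ? FORWARD : DROP_BLOCKED;
    }
    case PID_DATA0: case PID_DATA1: {
        if (len < 3 || len > 3 + 1024)              /* 1024: largest USB 2.0 data payload */
            return DROP_MALFORMED;
        uint16_t got = pkt[len - 2] | ((uint16_t)pkt[len - 1] << 8);
        if (usb_crc16(pkt + 1, len - 3) != got || fw->cur_addr < 0)
            return DROP_MALFORMED;                  /* bad CRC, or data outside any transaction */
        return fw->allow[fw->cur_addr] ? FORWARD : DROP_BLOCKED;
    }
    case PID_ACK: case PID_NAK: case PID_STALL: {
        if (len != 1 || fw->cur_addr < 0)
            return DROP_MALFORMED;
        int v = fw->allow[fw->cur_addr] ? FORWARD : DROP_BLOCKED;
        fw->cur_addr = -1;                          /* handshake closes the transaction */
        return v;
    }
    default:
        return DROP_MALFORMED;                      /* PING, SPLIT, PRE/ERR, NYET, DATA2/MDATA: not modelled */
    }
}

/* Constructed packets; the CRC bytes agree with these packets as seen in bus captures. */
static const uint8_t pk_setup0[] = { 0x2D, 0x00, 0x10 };   /* SETUP, address 0, endpoint 0 */
static const uint8_t pk_data0[]  = { 0xC3, 0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00, 0xDD, 0x94 };
static const uint8_t pk_ack[]    = { 0xD2 };
static const uint8_t pk_in1[]    = { 0x69, 0x01, 0xE8 };   /* IN, address 1, endpoint 0 */
static const uint8_t pk_badcrc[] = { 0x2D, 0x00, 0x11 };   /* CRC5 field corrupted */
static const uint8_t pk_badpid[] = { 0x2E, 0x00, 0x10 };   /* PID check nibble wrong */
static const struct { const uint8_t *p; size_t n; } seq[8] = {
    { pk_setup0, 3 }, { pk_data0, 11 }, { pk_ack, 1 }, { pk_in1, 3 },
    { pk_data0, 11 }, { pk_ack, 1 }, { pk_badcrc, 3 }, { pk_badpid, 3 } };

/* Replays seq[0..step] through a firewall that clears address 0 (needed for
 * enumeration) and quarantines address 1; returns the verdict for step. */
int demo_verdict(int step)
{
    struct usb_fw fw = { { 0 }, -1 };
    fw.allow[0] = 1;
    int v = DROP_MALFORMED;
    for (int i = 0; i <= step && i < 8; i++)
        v = usb_fw_filter(&fw, seq[i].p, seq[i].n);
    return v;
}
```

Two details matter in practice. Only token packets carry an address, so the firewall has to remember the transaction opened by the last token to decide the fate of the DATA and handshake packets that follow it (packets 4 and 5 in the sequence are dropped for that reason, although they are byte-for-byte identical to packets 1 and 2, which were forwarded). And validation runs before policy: a packet with a wrong PID check nibble, a wrong length, or a failing CRC is dropped regardless of which address it appears to belong to, which is the second layer of protection [0017] describes.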
[0018] This device can electrically isolate the two connections to
prevent electrical attacks, for example by using an optically
isolated bus.
* * * * *